Analysis
- max time kernel: 152s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 04:39
Static task: static1
Behavioral task: behavioral1
- Sample: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
- Resource: win10v2004-en-20220113
General
- Target: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
- Size: 168KB
- MD5: cce4e7ebab94c2ced267a34dfd187525
- SHA1: 2f68f04e7bd67c99ae4ffd039804af999d11f3d7
- SHA256: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a
- SHA512: 377f388dce5d62cc911f01e7ea19e937653f1bacea0a2e05375a7ee3ab262b702fd6c67253958000590b57a41911299e5c26bf2c573bc75cb038a685be36e009
Malware Config
Signatures
- Sakula Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral2/memory/1828-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral2/memory/1404-136-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes: MediaCenter.exe
  pid | process
  1404 | MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe
- Drops file in Windows directory (8 IoCs)
  Processes: TiWorker.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe, TiWorker.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe, cmd.exe
  description | pid | process | target process
  PID 1828 wrote to memory of 1404 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | MediaCenter.exe
  PID 1828 wrote to memory of 1404 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | MediaCenter.exe
  PID 1828 wrote to memory of 1404 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | MediaCenter.exe
  PID 1828 wrote to memory of 2304 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | cmd.exe
  PID 1828 wrote to memory of 2304 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | cmd.exe
  PID 1828 wrote to memory of 2304 | 1828 | 14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe | cmd.exe
  PID 2304 wrote to memory of 1888 | 2304 | cmd.exe | PING.EXE
  PID 2304 wrote to memory of 1888 | 2304 | cmd.exe | PING.EXE
  PID 2304 wrote to memory of 1888 | 2304 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe (PID 1828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1404)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2304)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\14e00851da0fd8ea25ccb064acc7a6a2b27b1c9a0206a2b89a006d2f34085a3a.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1888)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 260)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1140)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 347ef5f9fa506320478c67c64241945f
  SHA1: baa16bf5d60938d394a20a33f4f53a78a9583b41
  SHA256: b60d09df19bbacb75a7a57ff3eaea780e32276e51908e5fb90ec2fb2c92d1386
  SHA512: 58d8ef3ffbf698aa7c674f98d8561b1bc5e3da9aa35939adb77bb9063d455b4fe813e3b0e71ae0cc8202ad65a897149b2eacd59e4d78104c097d2a88344656e4